Separate on-demand scan template from DAST template

c9bb2be8 · Craig Smith · d607ea70 · c9bb2be8 · c9bb2be8 · c9bb2be8
Commit c9bb2be8 authored Nov 19, 2020 by Craig Smith
4 changed files
--- a/ee/app/services/ci/run_dast_scan_service.rb
+++ b/ee/app/services/ci/run_dast_scan_service.rb
@@ -17,13 +17,10 @@ module Ci

    def self.ci_template_raw
      <<~YAML
-        include:
-        - template: DAST.gitlab-ci.yml
        stages:
-        - dast
-        dast:
-          rules:
-            - when: always
+          - dast
+        include:
+          - template: DAST-On-Demand-Scan.gitlab-ci.yml
      YAML
    end


--- a/ee/changelogs/unreleased/dast_ondemand_scan_template_284983.yml
+++ b/ee/changelogs/unreleased/dast_ondemand_scan_template_284983.yml
+---
+title: Separate on-demand scan template from DAST template
+merge_request: 48088
+author:
+type: changed
--- a/ee/spec/services/ci/run_dast_scan_service_spec.rb
+++ b/ee/spec/services/ci/run_dast_scan_service_spec.rb
@@ -23,15 +23,6 @@ RSpec.describe Ci::RunDastScanService do
    it 'has only one stage' do
      expect(described_class.ci_template['stages']).to eq(['dast'])
    end
-
-    it 'has one rule is always true' do
-      rules = described_class.ci_template['dast']['rules']
-
-      aggregate_failures do
-        expect(rules.size).to eq(1)
-        expect(rules).to include('when' => 'always')
-      end
-    end
  end

  describe '#execute' do
@@ -96,8 +87,6 @@ RSpec.describe Ci::RunDastScanService do
            'name' => '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION'
          },
          'script' => [
-            'export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}',
-            'if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi',
            '/analyze'
          ],
          'artifacts' => {

--- a/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
+stages:
+  - build
+  - test
+  - deploy
+  - dast
+
+variables:
+  DAST_VERSION: 1
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+
+dast:
+  stage: dast
+  image:
+    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION"
+  variables:
+    GIT_STRATEGY: none
+  allow_failure: true
+  script:
+    - /analyze
+  artifacts:
+    reports:
+      dast: gl-dast-report.json